Cloudflare TV

1️⃣ In-transit data loss prevention (DLP)

Presented by Noelle Gotthardt, Abe Carryl
Originally aired on 

Join our product and engineering teams as they discuss what products have shipped today during Cloudflare One Week!

Read the blog posts:

Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!


Transcript (Beta)

Hi everyone. Welcome to Cloudflare TV. My name is Abe Carryl and I'm the product manager for Cloudflare Tunnel and I'm going to pass it over to Noelle to tell you a little about herself and what we're going to talk about today.

Hi, my name is Noelle.

I joined Cloudflare to be the PM for our new data loss prevention product, which I'm very excited and very fortunate to be working on.

And I'm here to talk today a little bit more about data loss prevention and how we're bringing it to Cloudflare.


And I should have should have welcomed, everybody, also by saying Happy Cloudflare One Week.

We're super excited to be doing this. We have a lot of interesting announcements lined up throughout the week, but one of my favorite ones is DLP.

And we have the expert in the room here to tell us a little bit about what DLP is, why it fits within the Cloudflare Zero Trust suite and some of the things first.

But before we talk a little bit about that, I'd love to learn a little bit more about your backstory, what brought you to Cloudflare and specifically what your history within, and experience looks like within the DLP space.

Yeah, so before I joined Cloudflare, I was working in insider threat and we were implementing data loss prevention tools and I really learned how difficult the space is and how hard it is for many of these companies to start securing their data.

And I had started talking to the product team here at Cloudflare and I already was familiar with the reputation and how incredibly amazing some of the products have already been and just the reputation of the company.

And so as I started talking about building this product and how much I knew it was already difficult, and so I thought that it was just a great pairing to put together this awesome team that I knew already could build awesome products and solve this really, really hard problem.

And I thought that, hey, this seems like such an adventure, like, I want to be a part of this, I want to build this.

And so if we can tackle this problem, it would just be amazing.

And so that was really what inspired me to join was cool people and a tough problem to solve.

That's awesome.

And it's cool to hear that that you got to work on kind of both sides of the equation.

So you got to kind of work in this space as a consumer of DLP technology and then coming on the other side to help build it.

I'm curious just kind of anecdotally to go a bit off script here, do you remember what the first moment was like when you first learned about Cloudflare or started getting interested or following the blog and what kind of made the connection for you to get excited about DLP at Cloudflare specifically?

I'm almost I'm almost hesitant to put this to put this on recording a little bit here, but so like I'd heard, I'd heard fantastic things I'd heard especially from the threat intel community earlier.

Like I sort of been vaguely aware of the reputation and then this is the nerdy part, is like and then I talked to Sam Rhea and I was like, this dude is just inspiring.

Like, I just want to spend time around someone who's this capable and makes me feel like we can crush the work this much.

Again, like now this is recorded for everyone to see and hear and play in the future.

But that was when it turned from a company whose reputation very vaguely was awesome to like, this is a cool person and I want to work with cool people and I'm excited about this.

Yeah, I've heard that origin story so many times of I either like stumbled on on the blog or I stumbled on Sam's Twitter, LinkedIn, and that's what it was for me.

So yeah, that, that story checks out.

Cool, well also and then before diving in a little bit more to DLP at Cloudflare and some things that we're working on first, I'd love to just learn a little bit more from you and kind of your experience of what it's been like to take a product from 0 to 1.

I think probably a lot of our viewers are interested in in product development and the product development lifecycle in general.

I'm curious, going from 0 to 1, what is the first kind of step that you took?

Was it taking that industry experience that you already had and coming in with some some idea of what was great that you wanted to continue to grow on?

Was it going to the core community and figuring out what what are everyday users on the free plans want?

Where did you kind of start that journey of doing customer discovery and doing some of that initial ideation?

That is such a good question and I still feel like I'm learning so much of that.

Like I still feel like there's so far for me to go.

But I would say sort of where I really started that was like trying to make sure that that the experience that I brought in wasn't just my own.

I was so afraid that like, right, I was coming in and I was being told that like, hey, you can learn to be a product manager, but like the reason we want you is because you have this experience with DLP.

We want you to be that voice of the customer, understand them really well.

And so my first thought process was like, okay, like make sure this isn't just about you and your experience with DLP.

This is about all of the other customers out there. And so how do I make sure I sit in front of customers and learn their stories?

And I love that that was what I was encouraged to do, was really understand where the customers are coming from, really understand the problem.

And as soon as I started to have those conversations, I immediately learned that I wasn't alone in the experiences I'd had.

The things that I was challenged... what I had been challenged by were things that a lot of other companies had been challenged by.

And so that was sort of, it was reassuring.

And then I sort of realized, okay, now I'm, now I'm a product person, now I need to learn how to make this a product.

And it was really fascinating and interesting for me because I was sitting down with an engineering team and this can vary widely kind of based on the product you launch.

But for me it was an engineering team who didn't know much about DLP.

They didn't they didn't have much experience in it.

And so it was a lot of how do I make them understand that this is what we're building and why we're building it and that it's important?

And I think, you know, again, sort of hearing from up the chain that this was a product that was really important to Zero Trust and that they were excited about it really helped them.

And then there are so many little things too, that I'm learning about helping marketing, helping sales, like all of the pieces that go into building a product that I feel like are really easy to stumble over.

And I have and they might be, but I've been like basically held up by all of these other fantastic people along the way.

And so not putting the pressure on myself to solve every problem, but just learn the people in the organization, learn where to find help.

So I think it's really been a journey of just trying to be the voice of the customer and trying to build the relationships with the rest of the organization so that I can lean on them for the things that they're really good at.

Yeah, I love that.

I think that that you hit on so many interesting points there. But but one that comes to mind is it'd be probably really tempting to just lean on your own experience and say, hey, this is how it worked in my organization.

This is what I saw.

So this is this is this is how we're going to move forward. And I think that finding ways to reach out to customers and and kind of validate or invalidate some of those things is very prudent.

And I think that that it makes a lot of sense that you went about going or went about it that way.

I'm curious since you mentioned that you talked to so many customers along the way and really figured out what they liked and what they didn't like, I'm sure part of that process was was doing that.

I think that a lot of times we naturally assume that the first thing that you do is figure out what people don't like.

But I think that it's equally as important to figure out what people love and make sure that you have that too.

So I'm curious, in your experience, what did what did you find that people really enjoyed about the product and then what were some of the things that were really difficult for customers about DLP?

Oh, great question.

Generally, I would say when people ever said that they love their product, it had been something that they had been using for a really long time and they had mastered it.

They like spent all of this time building a really, really thorough solution and being really, really invested in building that solution.

And so they had their workflow sort of cut out for them in, in their, their own organization.

And sort of meanwhile, I would say many of the customers that I spoke to that had real difficulty building solutions and had had complaints were ones that just didn't have this time to invest in building their solution and making this whole thing work.

And like basically what the answer really came down to is like you needed a ton of resources to throw at the problem and if you did have that, you could make something work that you loved because you basically built it from the ground up.

And if you didn't have that like you, you struggled because it was such an overwhelming problem and sort of the way that I would kind of like walk through that a bit is if I said to you like, Hey Abe, you're going to be in charge of finding all of the secure data within the Zero Trust organization within Cloudflare, and I want you to protect it.

And that's a big, vague thing. And that's that's not easy, right? Like how many people touch Zero Trust data and how many tools could they be sitting in?

And how do you find all that data? And then how do you put in rules that don't upset all the workflow?

And doing all that research and making sure that you have that mastered is it like a challenge that a lot of these teams have been presented with and they have a lot of different ways to tackle it.

And so my real thought process here for building a good DLP solution is thinking about that person who gets this big question and has to solve it and how do I solve it and how do I do it with limited resources?

How do I make this faster, easier, less complex? And so that's kind of been the challenge that is really at the heart of my goal for building DLP is thinking about that person who just gets the "Hey, go protect our data" and figuring out where to start and where to finish.

So that's kind of my vision for it overall.

Yeah, and I'm fortunate enough to get to work with you every day.

So I know what an empathetic person you are, but it probably makes it that much more simple to empathize with those users, knowing that you've been exactly in their shoes and being able to relate to some of their problems.

And I'm curious, so when you frame that kind of to oversimplify what you're saying, what I really hear is simplicity of deployment and making sure that that's one of the key pillars of the way that we're going about building DLP.

And I think that with so many of Cloudflare's products, one of the things that you really see is not just providing a solution, but providing an easy path to the solution and highlighting things along the way to where some of these features that we build are a roadmap to Zero Trust.

So the first step is toggling it on, but then after that, surfacing those insights and making sure that it's very easy to digest, very easy to understand, and very easy to to take action on.

I think that that's the key piece. It sounds like something that you've given a lot of thought to.


And you really did nail it exactly in a very articulate way, so I appreciate that.

And it's a journey that I think that all of us in Zero Trust are thinking about right now.

There's... you're right, this is always a big change for our customers. How do we make this easy for them?

How do we make it easy to just start and go very quickly?

Yeah, and so speaking of deployment, simplicity, how are customers currently solving this problem?

What are they using today? Are they are they easy to use? Are they easy to deploy?

What is the kind of current state of data loss prevention look like?

It's it's pretty varied.

So there's there's definitely companies that are focused on deploying solutions on the endpoint and protecting the endpoint with sort of traditional tools for DLP.

But then with that migration to SAS, there's been a huge demand for "How do I figure out what's going on on the network?" So even if you had this historical program of looking on the endpoint, well now we sort of need to migrate to a network because we've got all these different SAS tools and it's a very different architecture to be solving the problem for.

And the more customers I talk to, there seems to be this expectation or perhaps this perception that they've solved, that many companies have already solved this problem and that I'm behind if I haven't figured out where my data is going, I'm behind if I haven't protected it.

And it's sort of interesting to see that like it's such a consistent story that really the story should be like, Hey, there's no good solutions here.

There's no easy solutions here because customers are coming and saying, Hey, I haven't figured this out.

This is really difficult. We have these problems. We should have solved this already.

But then you get on the call with the next customer and they say the same thing like, How do we make this easier?

How do we make it so that we don't have customers saying, I don't even know where to start or we're behind?

But like, Hey, we need to offer something better. Let's get that to you so you're not worried like this, but also stuck in a position where you don't have a tool to make it easy.


I apologize if you end up hearing my dog barking in the background. The lawn guy just got here so he will periodically make sure that the lawn man knows that that my dog is here.

That's good and that you're protected now from the lawn guy.

Yes, exactly.

Security first. So, so why do you think that Cloudflare is in a good position to to solve this problem?

What makes...

is there anything about the network that makes it unique? Is there anything about the way that that the Zero Trust suite is already architected that makes DLP more effective than it would be, say, say in other architectures or deployments?

That's a...that's a great question, and I think there's a lot of different pieces to it.

I think sort of at a really high level, what Cloudflare loves is solving hard problems, and I don't think we are daunted by the fact that while DLP is difficult to implement, we can do it and I don't think we're daunted by that.

And so I think that is where we excel and I'm really excited to kind of...

I got here and I met all of these amazing engineers and all of these people with this fantastic amount of knowledge in so many spaces.

And so I think one, just Cloudflare as a whole, this is an opportunity that we love to see is The problem is difficult, let's get after it.

And then I think the next piece is just like I get to keep going and building on the work of previous people.

We built this fantastic network to be really fast and to solve and provide solutions at scale.

And so we already have the infrastructure for that and now my job is to build DLP specifically using that, that amazing infrastructure and the amount of speed and performance that we can provide with this solution.

And then like, right keep going.

Like me, leveraging the foundations that have been built for me and to get started here is...

just within Zero Trust alone, there's so many different pieces and facets that have already been built around identity, around being aware of the the different websites that the customers and employees are going to.

And so there's been already so much infrastructure built within Zero Trust to sort of launch DLP off of that we're in a great position.

It's now just time to go execute.

I love that.

And so so taking a step back for a second, what is it that we actually, now that we have a good foundation for, kind of how we got here, what we started building, how we went about building that, and then kind of our thoughts on the space in general, kind of the state of the space, what did we announce today?

What are you most excited about in the announcement?

So we announced that In-Line DLP is coming to Cloudflare.

I would like to say, and I'm really excited to say, we like we I know we've talked about it before.

We've had customers who've been hearing about it.

They knew it was coming, but like when is it really coming?

So we are going into beta early next quarter. I'm so excited about that.

I'm so excited to start getting it in customers' hands and getting the feedback.

And that was the piece that has really been driven home for me as a product manager is the mentality at Cloudflare is like put it in customers' hands, like they will tell you what they want.

The longer you sort of sit and stew on an answer without customer feedback is just time almost wasted per se, because it's it's only in your head, it's only my opinion, you know, maybe some engineering opinions, but it's very small scale.

The moment you put it in customers' hands, you'll get feedback.

And so that's what I'm so excited to do is launch this product, get it in customers' hands, get their feedback and and keep iterating and keep delivering for them.

Right? There's so many different ways to get after DLP and there's so many features that we're excited to build.

So we are we are excited to announce that we're doing it.

We're going into beta in a few weeks ideally, and we are very excited about it.

That's awesome.

And I and I love what you said there too, because I think that that innovation velocity kind of comes from being able to get things in the customers' hands and then being able to rotate on it very quickly and get that feedback in.

So, so it's awesome to hear kind of what we're doing there.

So is it safe to say DLP will integrate with other Cloudflare products as well?

Yeah, yeah, for sure.

That is like a key design component that we're we're really focusing on here.

So sort of to think about it and think about all of Cloudflare and everything that Cloudflare has to offer, we offer so many products for so many different customers and DLP is about understanding where your data is going, who's using it, how it's being used.

And so we have a lot of products that touch it, touch on that, right?

You could be protecting so many different portions of your network in so many different ways.

So how do we make sure that this product, DLP, is really flexible and really make sure that like OK, however you want to set up your network and whatever visibility we can get you, we will do that and we will do it to help track your sensitive data.

So we've kicked around ideas for like are we talking in launching within Gateway, but our CASB product, how do we make that integrate?

RBI like with Browser Isolation? How do we use a way where maybe we protect your data by isolating it when it's when it's being viewed?

Obviously with Area 1 email security, that's another path where you'd be interested in DLP.

And then there's other interesting Cloudflare products where it might not be something that you naturally think of for DLP, but there's probably opportunities out there for, Hey, you know, like we've got sensitive data traversing our network for our customer.

Like, what can we do to help them?

What can we do to protect them? What insights can we give them? So many opportunities there.

So, we're really designing the product with how do we think about that?

How do we scale for the future? How do we make this easy for the customer to see everything and scan everything and make that information available to them?

And can you give us any kind of insights or teasers into what it's going to look like at launch?

What are some of the first things that you're excited to release? I know that you mentioned that it will live as a as a component of Cloudflare Gateway.

And can you tell me just as a quick refresher for me, what is Cloudflare Gateway?

How will this kind of fit inside? And then what are some of those features that you're most excited for, like right at launch?

Yeah, yeah, for sure.

So it will be built directly into Cloudflare Gateway, which, and Gateway is our Secure Web Gateway product.

And so with that, customers can kind of route their traffic and decide what websites and how their employees can access the Internet.

So you can do things like block certain content categories, malware sites, etc..

And so that was sort of a natural place to start, right?

It's where you're guiding your customers' traffic and how they're guiding their employees' traffic.

And so now, as the information is sort of coming up and going down to their endpoint devices, we can scan it and try and give them some information about where the sensitive data is going, where it's getting used, who's using it so that they can start to make that assessment we were talking about earlier.

We tried to build it sort of conforming to industry standards, but also trying to make it flexible.

So we started with DLP profiles, and so the profiles are effectively like buckets, and it's a bucket of data that a customer can think about as one giant bucket of PII that they want to categorize together.

Really good example is credit cards.

So you can have a bucket of credit cards and there's lots of different types of ways to detect credit cards.

There's Visa and MasterCard and all of those many different ways that have slightly different patterns.

But to a customer, I don't want to build a detection for each individual type of credit card.

That's tedious and annoying, and why would I want to spend my time doing those individually?

I just want to detect if a credit card number leaves my network.

And so the... sort of create these...

creation simple. So we started with launching these DLP profiles to create these buckets for customers.

And all customers have to do is kind of go in and they can make the changes that they want to these profiles and say like, okay, this is the data I want to detect.

It's a credit card number. I want to make sure that I can detect this.

And then they sort of go over to Gateway, which is where they control the traffic for their their endpoints.

And they can say like, Hey, you know, for these domains or in these situations, however, they want to create the policy on their traffic, scan for DLP.

And as the traffic is sort of going up and down from that endpoint, they can say like, Oh, there's a credit card number.

You can either allow it and log it or you can just block it right off the bat.

So that's where we're building it right off the bat is right in that Gateway product and we'll start sort of letting customers toy with it there.

We have a lot of different ways we're thinking about expanding, a lot of different ways we're thinking about how do we get analytics and information to customers?

Can we build up more robust detections for them? So we have sort of ways that we're building it out, but in the very beginning it will launch with those profiles and it'll launch in those gateway policies.

Very cool.

Those profiles sound really, really helpful. And as a customer, would I have to go in and create that list of or those profiles of every credit card number of each of my employees?

Or how do I actually how do I actually detect those those credit card numbers?

And how do I actually use those as objects within my policies?

So sort of for our first go around, like all you have to do is turn on the detection.

And so we did list them out individually as like MasterCard and Visa or etc., but all they have to do is go say turn it on so they don't have to list their own specific credit card numbers or anything like that.

They just have to say like detect visa numbers or even just at the top, just say Detect all the credit card numbers if you want to do that.

So they don't have to manually deal with, ok, these are the credit card numbers I want you to detect, because I think most of our customers, that would just be an incredible burden and a little bit terrifying.

And so all they really have to do is sort of turn these on and off as they want, and then in the traffic they can scope it however they want.

So there are some customers that might just turn it on and kind of see, well, where, where do we even have credit card numbers?

Like, I don't even, I haven't even figured this out yet.

So tell me if you see credit card numbers so I can start finding them in the network.

And there are other customers that are going to say like, Hey, in this whole area of the company, anything you detect really wouldn't be a credit card number.

It's potential that there's a SKU number or some other internal identifier that would just create a false positive and there are no real credit card numbers here.

So if there's anything that's over here that's detected, maybe just log it or something, maybe just block all together because they shouldn't have them at all.

Meanwhile, over here in the finance portion of our company, we're going to have a different set of credentials set up because they do have credit card numbers.

So we want to be more focused on that.

So that's part of why you want the ability to create these policies scoped to your user group or scoped to specific domains so that you can really like twist the knobs and play with the toggles in order to to make it fit your organization.

Got it.

And for me, so I'm a bit more naive, so when we're talking about data loss prevention of a credit card.

So that's... is that just the the log record that contains the credit card number and that's just leaving my perimeter or or what is the actual DLP portion of that rule?

So sort of two pieces.

So one is the log portion.

So we have logging that will say like, Hey, this person uploaded this document, it contained a credit card number and it will just go to your logs.

And so that's a that's a really good way to learn where those credit card numbers exist within your organization is you turn it on and you just log it.

A lot of times for customers who are just starting out, if they turn it on and immediately start blocking, you'll get calls from lots of people within the company who are a little less than happy that you disturbed their workflows.

So that first step is usually creating those logs and trying to review and figure out where that information is.

As you are aware, we do have log push so that a lot of our customers will send that data over to their SIEM, start analyzing it, figuring out how they...

what they want to do next. And then sort of once you've figured out the workflow that you think is appropriate, then the DLP portion, the other DLP portion is blocking.

And so then you can say if you detect your credit card number, block it.

And so that, as you are aware, is already sort of built into Gateway.

And so like Gateway can already block based on content category or however, whatever other criteria we set up.

And so it's sort of very similar there. If you make this detection, block it.

Very similar to Gateway. Got it.

Very cool. What about inside reporting or analytics or things like that? Are those things that the DLP team is thinking about as well?

Oh, yeah, yeah.

That's a key element for us, for sure. It's definitely a piece that we're thinking about, and I think it's really core to the success of our product is how do we make that information readily available to customers?

The last thing that a lot of our smaller customers especially want is to just be inundated with logs.

I'm sure there are larger enterprise customers that are ready for that and they already get all the logging and this is what they do.

But there are a lot of smaller customers out there who are like, if you just send me a bunch of logs, I'll just be overwhelmed.

Please don't do that. Help me solve this problem.

And so getting the analytics to them, helping them decide and assess, Okay, this is where my data is going.

This is how I want to set up these rules, right?

Like that's the piece of it that we need to make easier for customers.

Like just detecting a number in traffic is good, but it's, it's not the essence of DLP in my opinion.

In in my opinion, it's getting them a way to to learn about exactly how am I going to do these rules?

How do I make it easy?

How do I make it effective? And so that's the heart of really where I want to deliver a good product.

Very cool.

So I love that and I think that that was...

that's a great kind of narrative to kind of close on, which is that we kind of got to learn a little bit about what DLP is, what it means to you, where your experience kind of lies within that space, how we went about customer discovery, what we're building, and how we went about building that.

And then some of the things that we're excited for in the future. Kind of along that same line, just real quick, anything in the roadmap that to the extent that that you're willing to share, that you're particularly excited for?

Maybe it's not an MVP, but maybe it's one of those things that you're thinking about and then kind of as a tack on to that, if you'll let me, what's the best way to reach out to you and and to get you feedback or a feature request or to get involved and to kind of stay on the cutting edge of the things that Cloudflare is doing as it relates to DLP?

A series of great questions and I'll try and remember all of them sort of as I work through it.

So features that I'm excited about I think we actually like sadly already touched on it a little bit is is because I sat in that chair of like how do we figure out and how do we protect this data and there's too much data and like it's everywhere.

And every time we think we have it locked down, someone makes a new PowerPoint and it goes somewhere else in the company that we weren't expecting.

I think that trying to solve that problem of like, how do I get the information into the hands of the customer so that they understand where their data is and where it's going is like to me that is why I took the job and why I want to do this job is like I want to make that easier and that is my goal.

And that's sort of like, like don't stop until you get there kind of a thing.

So I can't say it's a feature per se, because I think we're probably going to have a lot of different like ships that we send out sort of to get the pieces in place to deliver that.

But that's the goal and that's what I really, really want to deliver for customers.

And I'm like, I'm sure we won't get there in version one, but like, that's the whole point.

Like, get this into customer hands, get the feedback, start chasing the solution.

As far as following me and following Cloudflare, so I love our social media presence, our blog presence.

We're all present on Twitter. The blog is amazing.

We released a DLP blog earlier today to start talking about the product, which is very exciting.

And then for any of our current customers, right, absolutely reach out to any of your account executives and start talking to them and asking about DLP, asking about Zero Trust.

I know that you love spending time talking to customers as well, so if there's any...

any of us would be happy to talk to more customers about everything.

That's what I have in mind. But I actually bet that you might have other recommendations that are probably also excellent.

So I'm going to flip the question back on you and say, What are some other ways that customers can reach out to us?

I love it.

Yeah, so I plus one everything that you mentioned. So I think that the community is great. great way to find it. Your blog post was great.

So following the blog is always, always, always interesting content there.

On Twitter, if you tweet about Cloudflare, we will find it.

So so really, if you put it out into our sphere, we'll hunt it down and we'll find a way to get back to you, but any way that you can do that is great.

Reaching out to your account team, setting up workshops with us, another great way to do that as well.

So like Noelle said, I'm sure she's more than willing to do that.

I'm more than willing, and I know that the whole team is kind of on standby, ready to do that.

So it's going to be a really exciting week of announcements.

This is just the first of many in the first of many for DLP specifically.

So so I'm really excited for this. And Noelle, thank you so much for your time today.

Really excited to get this in the hands of customers. customers.

Yeah, thank you so much for taking the time and have a good one Abe.

Thumbnail image for video "Cloudflare One Week"

Cloudflare One Week
It's Cloudflare One Week, featuring an array of announcements and discussions related to Zero Trust and SASE. Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!
Watch more episodes